Up-to-date syndicated information on database & ERP privacy, security, audit and compliance
  • NASDAQ OMX Acquires BWise… Where Is GRC Headed?

    Posted on May 8th, 2012 Chris McClean No comments

    Last week saw news that yet another top GRC software vendor has been acquired, following in the footsteps of Paisley, Archer, OpenPages, among others. BWise has always been an impressive vendor in the GRC space, so first off I think congratulations are in order for both parties.

    That said, if you didn't see NASDAQ getting into the GRC software space coming, don't beat yourself up… after seeing the large technology vendors and content providers enter the space over the past 3 years, this wasn't an obvious move. But looking a little deeper, NASDAQ's move makes sense for a couple of reasons:

    - NASDAQ's target market cares about GRC. NASDAQ lists its target roles as marketing/corporate communications, board and corporate secretary, investor relations, and corporate finance. All of these roles have a vested interest in better controls, stronger risk management practices, and improved corporate governance.

    - BWise has always focused on the "G" of GRC. More than any of the other top GRC software vendors, BWise targeted governance professionals with capabilities such as entity management.

    - There are immediate integration possibilities. Among NASDAQ's corporate solutions are products for board management, whistleblower reporting, and XBRL filing. BWise has a host of capabilities (issue management, process management, policy management, reporting, etc.) that could quickly add value to implementations of those products.

    But, as always with a deal like this, both parties will have to show the market how they will address some key questions:


  • Don’t Forbid Employees From Using The Escalator, Give Them Reasons To Use The Stairs

    Posted on March 27th, 2012 Chris McClean No comments

    Guest post from Researcher Nick Hayes.

    If you had to go up one level in a train station, would you take the stairs or use the escalator? Most people would choose the escalator. But what if the staircase played musical notes like an interactive piano? This may change things, right? A couple of years ago, Volkswagen began sponsoring an initiative called The Fun Theory that tested the degree to which they could change people's behavior for the better by introducing an element of fun. In one example, they found that by adding a unique element to the stairs - transforming it into an interactive piano - they were able to increase staircase use by 66%. You can watch the short video here.

    You can apply this same principle to your training and awareness programs -- find your own piano staircase, and use it to begin guiding people to choose the right thing on their own. Chris and I have been working on a report that stresses the importance of organizational culture in the development of risk and compliance programs. Throughout the research process, we asked risk and compliance professionals and vendors in the space the same question: "How are you influencing and promoting positive behavior?"

    You can create new technical controls and policies, and you can require employees to sign attestations all day, but these efforts have minimal value (or worse) when there's no positive reinforcement. When compliance and risk management are considered obligatory tasks, rather than meaningful efforts that the company values, it diminishes the perceived importance of ethical behavior.

    Instead, engage employees using different multimedia channels, and maybe even add in touches of humor and fun.

  • Risk Monitoring Growing Concern for CIOs

    Posted on July 14th, 2011 SamA No comments

    There are a large number of types of GRC software, most of them focusing on one area of GRC. For a CIO, one of the biggest concerns over the past few years has been the growing number of compliance mandates. GRC tools that focus on the compliance part of GRC have turned out to be useful for many CISOs. CISOs have been able to take advantage of the structured, enterprise-wide approach to regulatory compliance that's made possible by GRC software. So, this has been a blessing.

    Compliance, the "C" in GRC, is not enough anymore, however. Risk management (the "R" in GRC) is now taking on a more prominent role in organizations, and the CISO is tasked with continuous enterprise risk management. Protecting critical assets and continuous risk monitoring have become high-priority items for CISOs in most organizations.

    Increasing risk management and compliance mandates have made GRC automation technology an essential commodity, rather than a luxury. CISOs today can no longer hope to keep up with the current and emerging compliance mandates and risk management requirements without sophisticated GRC technology. The old days of reactive compliance management seem to be headed out the door – today, strategies such as continuous assessments to comply with varying compliance requirements and to safeguard against risk are going to be the way CISOs manage GRC. Strong GRC software is what makes it possible to make this type of continuous compliance and risk assessment part of an organization's lifestyle.

    CISOs all over the world are making the transition from IT and information security to information risk management. Continuous control automation and monitoring is the way to make this possible, making GRC software the bedrock of information risk management.


  • A Few Thoughts On Communicating Risk

    Posted on May 3rd, 2011 Chris McClean No comments

    In my new report, The Risk Manager's Handbook: How To Measure And Understand Risks, I present industry best practices and guidance on ways to articulate the extent or size of a risk. More than the interpersonal, political, and leadership skills required of a risk management professional, defining how risks are measured and communicated is where I believe they prove their worth. If risk measurement techniques are too complicated, they may discourage crucial input from colleagues and subject matter experts... but if they are too simple, they won't yield enough relevant information to guide important business decisions. Great communication skills can only hide irrelevant information for so long.

    This report includes factors to use in the risk measurement process, ways to present risk measurement data in meaningful ways, and criteria to use when deciding which of these methods are most appropriate. As always, your feedback is welcome and appreciated.

    In addition, I will be covering a related topic with our Security and Risk Council in a session called Creating A High-Impact Executive Report along with my colleague Ed Ferrara at Forrester's upcoming IT Forum: Accelerate At The Intersection Of Business And Technology, May 25-27, in Las Vegas. Please join us if you can make it. Later in the week, I will be available for 1-on-1 meetings with attendees, and I'll also present sessions on linking governance and risk and establishing good vendor risk management practices. I hope to see you there.
